1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This code is made available to you under your choice of the following sets
4 * of licensing terms:
5 */
6 /* This Source Code Form is subject to the terms of the Mozilla Public
7 * License, v. 2.0. If a copy of the MPL was not distributed with this
8 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
9 */
10 /* Copyright 2016 Mozilla Contributors
11 *
12 * Licensed under the Apache License, Version 2.0 (the "License");
13 * you may not use this file except in compliance with the License.
14 * You may obtain a copy of the License at
15 *
16 * http://www.apache.org/licenses/LICENSE-2.0
17 *
18 * Unless required by applicable law or agreed to in writing, software
19 * distributed under the License is distributed on an "AS IS" BASIS,
20 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
21 * See the License for the specific language governing permissions and
22 * limitations under the License.
23 */
24
25 #include "pkixgtest.h"
26
27 #include "mozpkix/pkixder.h"
28 #include "mozpkix/pkixutil.h"
29
30 using namespace mozilla::pkix;
31 using namespace mozilla::pkix::test;
32
namespace mozilla { namespace pkix {

// CheckExtendedKeyUsage is the function under test. None of the headers
// included above declares it, so it is declared here directly; this
// declaration has to be kept in sync with the library's definition by hand.
// Arguments, as exercised by the tests below:
//   endEntityOrCA         - which role the certificate is being validated in;
//                           the tests show the verdict can differ by role.
//   encodedExtendedKeyUsage - the DER value of the EKU extension, or nullptr
//                           when the certificate has no such extension.
//   requiredEKU           - the key purpose the caller needs the cert for.
//   trustDomain, notBefore - passed through; the tests always use a default
//                           trust domain and Now().
extern Result CheckExtendedKeyUsage(EndEntityOrCA endEntityOrCA,
                                    const Input* encodedExtendedKeyUsage,
                                    KeyPurposeId requiredEKU,
                                    TrustDomain& trustDomain, Time notBefore);

} } // namespace mozilla::pkix
41
// Fixture for the direct CheckExtendedKeyUsage tests. Its only job is to
// supply the TrustDomain argument; the tests never look at it otherwise.
class pkixcheck_CheckExtendedKeyUsage : public ::testing::Test
{
protected:
  DefaultCryptoTrustDomain mTrustDomain;
};
47
// Every rejection in this file is expected to surface as
// ERROR_INADEQUATE_CERT_TYPE; the macro keeps that expectation in one place.
#define ASSERT_BAD(x) ASSERT_EQ(Result::ERROR_INADEQUATE_CERT_TYPE, x)

// tlv_id_kp_OCSPSigning and tlv_id_kp_serverAuth are defined in pkixtestutil.h

// tlv_id_kp_clientAuth and tlv_id_kp_codeSigning are defined in pkixgtest.h

// Each array below is one DER-encoded OBJECT IDENTIFIER TLV (tag 0x06,
// length, contents). They are concatenated inside a SEQUENCE by the
// SINGLE_EKU_*/DOUBLE_EKU_* macros further down to form EKU extension values.

// python DottedOIDToCode.py --tlv id_kp_emailProtection 1.3.6.1.5.5.7.3.4
static const uint8_t tlv_id_kp_emailProtection[] = {
  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04
};

// python DottedOIDToCode.py --tlv id-Netscape-stepUp 2.16.840.1.113730.4.1
// Legacy Netscape "step-up" purpose; the table below records how it is
// mapped onto id-kp-serverAuth for CAs.
static const uint8_t tlv_id_Netscape_stepUp[] = {
  0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x04, 0x01
};

// python DottedOIDToCode.py --tlv unknownOID 1.3.6.1.4.1.13769.666.666.666.1.500.9.3
// An arbitrary OID the library does not know, to check that unrecognised
// purposes neither satisfy nor poison a specific requirement.
static const uint8_t tlv_unknownOID[] = {
  0x06, 0x12, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xeb, 0x49, 0x85, 0x1a, 0x85, 0x1a,
  0x85, 0x1a, 0x01, 0x83, 0x74, 0x09, 0x03
};

// python DottedOIDToCode.py --tlv anyExtendedKeyUsage 2.5.29.37.0
// The RFC 5280 anyExtendedKeyUsage OID as it would appear *inside* the
// extension; the table below shows it is not honoured as a wildcard.
static const uint8_t tlv_anyExtendedKeyUsage[] = {
  0x06, 0x04, 0x55, 0x1d, 0x25, 0x00
};
74
TEST_F(pkixcheck_CheckExtendedKeyUsage, none)
{
  // A nullptr Input means the certificate carries no extended key usage
  // extension at all. That is accepted for every required purpose, in both
  // roles, with exactly one exception: an end-entity that must be usable for
  // id-kp-OCSPSigning has to say so explicitly, so the absent extension is
  // rejected there. A CA without an EKU extension is fine even for that.
  static const KeyPurposeId requiredEKUs[] = {
    KeyPurposeId::anyExtendedKeyUsage,
    KeyPurposeId::id_kp_serverAuth,
    KeyPurposeId::id_kp_clientAuth,
    KeyPurposeId::id_kp_codeSigning,
    KeyPurposeId::id_kp_emailProtection,
    KeyPurposeId::id_kp_OCSPSigning,
  };

  for (KeyPurposeId requiredEKU : requiredEKUs) {
    SCOPED_TRACE(static_cast<int>(requiredEKU));

    Result expectedForEndEntity = Success;
    if (requiredEKU == KeyPurposeId::id_kp_OCSPSigning) {
      expectedForEndEntity = Result::ERROR_INADEQUATE_CERT_TYPE;
    }
    ASSERT_EQ(expectedForEndEntity,
              CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
                                    requiredEKU, mTrustDomain, Now()));

    ASSERT_EQ(Success,
              CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr,
                                    requiredEKU, mTrustDomain, Now()));
  }
}
123
// A default-constructed Input, i.e. a non-null pointer to zero bytes; the
// `empty` test uses it as one of its two flavours of empty extension value.
static const Input empty_null;
125
TEST_F(pkixcheck_CheckExtendedKeyUsage, empty)
{
  // The input Input is empty: the certificate has an extended key usage
  // extension whose value holds no bytes, which is syntactically invalid.
  // Unlike the missing extension (nullptr, see `none`), this must be rejected
  // for end-entities and CAs alike.
  static const uint8_t dummy = 0x00;
  Input empty_nonnull;
  ASSERT_EQ(Success, empty_nonnull.Init(&dummy, 0));

  // Two ways of being empty: a default-constructed Input and one initialised
  // from a real buffer with length zero.
  const Input* const emptyInputs[] = { &empty_null, &empty_nonnull };
  for (const Input* emptyInput : emptyInputs) {
    ASSERT_BAD(CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity,
                                     emptyInput,
                                     KeyPurposeId::id_kp_serverAuth,
                                     mTrustDomain, Now()));
    ASSERT_BAD(CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, emptyInput,
                                     KeyPurposeId::id_kp_serverAuth,
                                     mTrustDomain, Now()));
  }
}
147
// One row of EKU_TESTCASES. Field order matters: the SINGLE_EKU_*/DOUBLE_EKU_*
// macros build these by positional brace initialisation.
struct EKUTestcase
{
  // DER value of the EKU extension: a SEQUENCE of OID TLVs.
  ByteString ekuSEQUENCE;
  // The purpose passed as requiredEKU to CheckExtendedKeyUsage.
  KeyPurposeId keyPurposeId;
  // Expected verdict when the cert is checked as an end-entity ...
  Result expectedResultEndEntity;
  // ... and when it is checked as a CA.
  Result expectedResultCA;
};
155
// gtest prints the parameter of a failing parameterised test through this
// operator. Printing the actual row contents is tracked by bug 1318770; until
// then a fixed placeholder is written and the argument is ignored.
::std::ostream& operator<<(::std::ostream& os, const EKUTestcase&)
{
  os << "TODO (bug 1318770)";
  return os;
}
160
// Parameterised fixture driven by EKU_TESTCASES (see the
// INSTANTIATE_TEST_SUITE_P below). Like the plain fixture above it only
// provides the TrustDomain argument.
class CheckExtendedKeyUsageTest
  : public ::testing::Test
  , public ::testing::WithParamInterface<EKUTestcase>
{
protected:
  DefaultCryptoTrustDomain mTrustDomain;
};
168
TEST_P(CheckExtendedKeyUsageTest, EKUTestcase)
{
  // Runs one row of EKU_TESTCASES: the same encoded extension value is
  // checked once in the end-entity role and once in the CA role, and each
  // verdict is compared with the row's expectation for that role.
  const EKUTestcase& testcase = GetParam();

  Input ekuInput;
  ASSERT_EQ(Success, ekuInput.Init(testcase.ekuSEQUENCE.data(),
                                   testcase.ekuSEQUENCE.length()));

  Result endEntityResult =
    CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity, &ekuInput,
                          testcase.keyPurposeId, mTrustDomain, Now());
  ASSERT_EQ(testcase.expectedResultEndEntity, endEntityResult);

  Result caResult =
    CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, &ekuInput,
                          testcase.keyPurposeId, mTrustDomain, Now());
  ASSERT_EQ(testcase.expectedResultCA, caResult);
}
184
// Row builders for EKU_TESTCASES. Each yields an EKUTestcase whose
// ekuSEQUENCE is a DER SEQUENCE wrapping one (SINGLE_*) or two (DOUBLE_*)
// of the OID TLVs defined above. The suffix encodes the expected verdicts:
//   *_SUCCESS    - accepted as end-entity and as CA
//   *_SUCCESS_CA - rejected as end-entity, accepted as CA
//   *_FAILURE    - rejected in both roles
// (Every rejection is ERROR_INADEQUATE_CERT_TYPE, matching ASSERT_BAD.)
#define SINGLE_EKU_SUCCESS(oidBytes, keyPurposeId) \
  { TLV(der::SEQUENCE, BytesToByteString(oidBytes)), keyPurposeId, \
    Success, Success }
#define SINGLE_EKU_SUCCESS_CA(oidBytes, keyPurposeId) \
  { TLV(der::SEQUENCE, BytesToByteString(oidBytes)), keyPurposeId, \
    Result::ERROR_INADEQUATE_CERT_TYPE, Success }
#define SINGLE_EKU_FAILURE(oidBytes, keyPurposeId) \
  { TLV(der::SEQUENCE, BytesToByteString(oidBytes)), keyPurposeId, \
    Result::ERROR_INADEQUATE_CERT_TYPE, Result::ERROR_INADEQUATE_CERT_TYPE }
#define DOUBLE_EKU_SUCCESS(oidBytes1, oidBytes2, keyPurposeId) \
  { TLV(der::SEQUENCE, \
        BytesToByteString(oidBytes1) + BytesToByteString(oidBytes2)), \
    keyPurposeId, \
    Success, Success }
#define DOUBLE_EKU_SUCCESS_CA(oidBytes1, oidBytes2, keyPurposeId) \
  { TLV(der::SEQUENCE, \
        BytesToByteString(oidBytes1) + BytesToByteString(oidBytes2)), \
    keyPurposeId, \
    Result::ERROR_INADEQUATE_CERT_TYPE, Success }
#define DOUBLE_EKU_FAILURE(oidBytes1, oidBytes2, keyPurposeId) \
  { TLV(der::SEQUENCE, \
        BytesToByteString(oidBytes1) + BytesToByteString(oidBytes2)), \
    keyPurposeId, \
    Result::ERROR_INADEQUATE_CERT_TYPE, Result::ERROR_INADEQUATE_CERT_TYPE }
209
// Expected verdicts for every single OID and every unordered pair of OIDs
// against every required purpose. Patterns worth reading the table for:
//  - a specific purpose is satisfied only when its own OID is present;
//  - id-kp-OCSPSigning in an end-entity's EKU blocks all other purposes,
//    while a CA carrying it is unaffected;
//  - id-Netscape-stepUp counts as id-kp-serverAuth for CAs only;
//  - neither an unknown OID nor the anyExtendedKeyUsage OID satisfies a
//    specific required purpose.
static const EKUTestcase EKU_TESTCASES[] =
{
  SINGLE_EKU_SUCCESS(tlv_id_kp_serverAuth, KeyPurposeId::anyExtendedKeyUsage),
  SINGLE_EKU_SUCCESS(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_serverAuth),
  SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_clientAuth),
  SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_codeSigning),
  SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_emailProtection),
  SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_OCSPSigning),

  SINGLE_EKU_SUCCESS(tlv_id_kp_clientAuth, KeyPurposeId::anyExtendedKeyUsage),
  SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_serverAuth),
  SINGLE_EKU_SUCCESS(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_clientAuth),
  SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_codeSigning),
  SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_emailProtection),
  SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_OCSPSigning),

  SINGLE_EKU_SUCCESS(tlv_id_kp_codeSigning, KeyPurposeId::anyExtendedKeyUsage),
  SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_serverAuth),
  SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_clientAuth),
  SINGLE_EKU_SUCCESS(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_codeSigning),
  SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_emailProtection),
  SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_OCSPSigning),

  SINGLE_EKU_SUCCESS(tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage),
  SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth),
  SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_clientAuth),
  SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning),
  SINGLE_EKU_SUCCESS(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection),
  SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning),

  // For end-entities, if id-kp-OCSPSigning is present, no usage is allowed
  // except OCSPSigning. Even anyExtendedKeyUsage is refused for the
  // end-entity (but not for the CA), which keeps a delegated OCSP responder
  // certificate from being usable as anything else.
  SINGLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
  SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
  SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
  SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
  SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
  SINGLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),

  SINGLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
  // For compatibility, id-Netscape-stepUp is treated as equivalent to
  // id-kp-serverAuth for CAs. An end-entity with only stepUp is still
  // rejected for serverAuth.
  SINGLE_EKU_SUCCESS_CA(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
  SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
  SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
  SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
  SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),

  // An OID the library does not recognise satisfies only anyExtendedKeyUsage.
  SINGLE_EKU_SUCCESS(tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
  SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
  SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
  SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
  SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
  SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),

  // The anyExtendedKeyUsage OID inside the extension is deliberately not a
  // wildcard: it does not satisfy any specific required purpose.
  SINGLE_EKU_SUCCESS(tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
  SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
  SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
  SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
  SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
  SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning),

  // serverAuth alongside OCSPSigning: the OCSPSigning rule above still wins
  // for the end-entity, so only a CA is accepted for serverAuth here.
  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS_CA(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_SUCCESS_CA(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),

  DOUBLE_EKU_SUCCESS(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
  DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
  DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
  DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
  DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
  DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
};
468
// Runs CheckExtendedKeyUsageTest once per row of EKU_TESTCASES, reported
// under the pkixcheck_CheckExtendedKeyUsage prefix.
INSTANTIATE_TEST_SUITE_P(pkixcheck_CheckExtendedKeyUsage,
                         CheckExtendedKeyUsageTest,
                         ::testing::ValuesIn(EKU_TESTCASES));
472
// One row of EKU_CHAIN_TESTCASES: a two-certificate chain (CA -> end-entity)
// built by CreateCert and validated end to end with BuildCertChain.
struct EKUChainTestcase
{
  // Encoded EKU extension for the end-entity cert; empty means "no EKU
  // extension" (see CreateCert).
  ByteString ekuExtensionEE;
  // Same for the issuing CA cert.
  ByteString ekuExtensionCA;
  // The purpose required from BuildCertChain.
  KeyPurposeId keyPurposeId;
  // Expected BuildCertChain result for the whole chain.
  Result expectedResult;
};
480
// Parameter printer gtest uses when a chain test fails. The row contents are
// not printed yet (bug 1318770); the argument is ignored and a placeholder
// is written instead.
::std::ostream& operator<<(::std::ostream& os, const EKUChainTestcase&)
{
  os << "TODO (bug 1318770)";
  return os;
}
485
// Parameterised fixture for the chain tests. It carries no trust domain of
// its own because each test builds an EKUTrustDomain around the CA cert it
// just created.
class CheckExtendedKeyUsageChainTest
  : public ::testing::Test
  , public ::testing::WithParamInterface<EKUChainTestcase>
{
};
491
// Builds a DER-encoded v3 certificate for the chain tests.
//
// issuerCN / subjectCN: the CNs used for the issuer and subject names.
// endEntityOrCA: decides the cA flag of the (critical) basicConstraints
//                extension that every generated cert carries.
// encodedEKU: an already DER-encoded extendedKeyUsage extension, or an
//             empty ByteString to leave the extension out entirely.
//
// Each call takes a fresh serial number from a process-wide counter. The
// same reused test key pair serves as the subject key and as the signing
// key, so "CA" really does sign "EE" in the two-cert chains built from this.
// Encoding failures are flagged with EXPECT_FALSE but the result is still
// returned, so a failing test points at the cert that could not be built.
static ByteString
CreateCert(const char* issuerCN, const char* subjectCN,
           EndEntityOrCA endEntityOrCA, ByteString encodedEKU)
{
  static long nextSerialNumber = 0;
  ++nextSerialNumber;
  ByteString serialNumber(CreateEncodedSerialNumber(nextSerialNumber));
  EXPECT_FALSE(ENCODING_FAILED(serialNumber));

  ByteString issuerName(CNToDERName(issuerCN));
  ByteString subjectName(CNToDERName(subjectCN));

  // extensions[0]: basicConstraints; extensions[1]: the EKU when one was
  // given; extensions[2] is never assigned. The trailing empty entry looks
  // like the end-of-array marker CreateEncodedCertificate expects -- confirm
  // against pkixtestutil before relying on that.
  const bool isCA = endEntityOrCA == EndEntityOrCA::MustBeCA;
  ByteString extensions[3];
  extensions[0] = CreateEncodedBasicConstraints(isCA, nullptr, Critical::Yes);
  EXPECT_FALSE(ENCODING_FAILED(extensions[0]));
  if (encodedEKU.length() != 0) {
    extensions[1] = encodedEKU;
  }

  ScopedTestKeyPair keyPair(CloneReusedKeyPair());
  ByteString certDER(CreateEncodedCertificate(
    v3, sha256WithRSAEncryption(), serialNumber, issuerName,
    oneDayBeforeNow, oneDayAfterNow, subjectName,
    *keyPair, extensions, *keyPair,
    sha256WithRSAEncryption()));
  EXPECT_FALSE(ENCODING_FAILED(certDER));

  return certDER;
}
523
// Minimal trust domain for the chain tests. Exactly one certificate -- the
// DER handed to the constructor -- is a trust anchor, it is also the only
// issuer candidate ever offered, and the revocation and chain-policy hooks
// accept unconditionally. Trust, revocation and policy are therefore held
// constant, so the per-row outcome should hinge on the EKU check (and on
// whatever other structural validation BuildCertChain performs itself).
class EKUTrustDomain final : public DefaultCryptoTrustDomain
{
public:
  explicit EKUTrustDomain(ByteString issuerCertDER)
    : mIssuerCertDER(issuerCertDER)
  {
  }

private:
  // A candidate is a trust anchor iff it is byte-for-byte the configured
  // issuer cert; every other cert just inherits trust from its issuer.
  Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input candidateCert,
                      TrustLevel& trustLevel) override
  {
    if (InputEqualsByteString(candidateCert, mIssuerCertDER)) {
      trustLevel = TrustLevel::TrustAnchor;
    } else {
      trustLevel = TrustLevel::InheritsTrust;
    }
    return Success;
  }

  // Offers the single issuer cert to the checker regardless of the subject.
  Result FindIssuer(Input, IssuerChecker& checker, Time) override
  {
    Input issuerCert;
    Result initResult = issuerCert.Init(mIssuerCertDER.data(),
                                        mIssuerCertDER.length());
    if (initResult != Success) {
      return initResult;
    }
    // Presumably an out-parameter written by Check; with only one candidate
    // there is nothing to do with it either way.
    bool keepGoing;
    return checker.Check(issuerCert, nullptr, keepGoing);
  }

  // Revocation is deliberately out of scope for these tests.
  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
                         const Input*, const Input*, const Input*) override
  {
    return Success;
  }

  // No extra chain-level policy either.
  Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override
  {
    return Success;
  }

  ByteString mIssuerCertDER;
};
566
// Builds a two-certificate chain — a self-issued "CA" anchor and an "EE"
// leaf, each carrying whatever EKU extension the parameter specifies — and
// checks that BuildCertChain yields the expected Result for the required key
// purpose. Key usage, policy and stapled OCSP are all neutral
// (noParticularKeyUsageRequired, anyPolicy, nullptr), so EKU processing is
// the only variable under test.
TEST_P(CheckExtendedKeyUsageChainTest, EKUChainTestcase)
{
  const EKUChainTestcase& tc = GetParam();

  const ByteString caDER(CreateCert("CA", "CA", EndEntityOrCA::MustBeCA,
                                    tc.ekuExtensionCA));
  const ByteString eeDER(CreateCert("CA", "EE",
                                    EndEntityOrCA::MustBeEndEntity,
                                    tc.ekuExtensionEE));
  EKUTrustDomain trustDomain(caDER);

  Input ee;
  ASSERT_EQ(Success, ee.Init(eeDER.data(), eeDER.length()));

  const Result actual = BuildCertChain(trustDomain, ee, Now(),
                                       EndEntityOrCA::MustBeEndEntity,
                                       KeyUsage::noParticularKeyUsageRequired,
                                       tc.keyPurposeId,
                                       CertPolicyId::anyPolicy,
                                       nullptr);
  ASSERT_EQ(tc.expectedResult, actual);
}
589
// Chain-level EKU expectations. Field order is positional and follows the
// struct: EE EKU extension, CA EKU extension, required KeyPurposeId,
// expected Result — per the per-case comments, the FIRST ByteString is the
// end-entity's and the SECOND the CA's (the test above feeds
// ekuExtensionEE to the "EE" cert and ekuExtensionCA to the "CA" cert). An
// empty ByteString means "no EKU extension". Entries are kept in this order
// because gtest names each instance by its index.
static const EKUChainTestcase EKU_CHAIN_TESTCASES[] =
{
  {
    // Both end-entity and CA have id-kp-serverAuth => should succeed
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
    KeyPurposeId::id_kp_serverAuth,
    Success
  },
  {
    // CA has no EKU extension => should succeed
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
    ByteString(),
    KeyPurposeId::id_kp_serverAuth,
    Success
  },
  {
    // End-entity has no EKU extension => should succeed
    ByteString(),
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
    KeyPurposeId::id_kp_serverAuth,
    Success
  },
  {
    // No EKU extensions at all => should succeed
    ByteString(),
    ByteString(),
    KeyPurposeId::id_kp_serverAuth,
    Success
  },
  {
    // CA has EKU without id-kp-serverAuth => should fail
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
    KeyPurposeId::id_kp_serverAuth,
    Result::ERROR_INADEQUATE_CERT_TYPE
  },
  {
    // End-entity has EKU without id-kp-serverAuth => should fail
    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
    KeyPurposeId::id_kp_serverAuth,
    Result::ERROR_INADEQUATE_CERT_TYPE
  },
  {
    // Both end-entity and CA have EKU without id-kp-serverAuth => should fail
    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
    KeyPurposeId::id_kp_serverAuth,
    Result::ERROR_INADEQUATE_CERT_TYPE
  },
  {
    // End-entity has no EKU, CA doesn't have id-kp-serverAuth => should fail
    // (an absent leaf EKU does not override a restrictive CA EKU).
    ByteString(),
    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
    KeyPurposeId::id_kp_serverAuth,
    Result::ERROR_INADEQUATE_CERT_TYPE
  },
  {
    // End-entity doesn't have id-kp-serverAuth, CA has no EKU => should fail
    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
    ByteString(),
    KeyPurposeId::id_kp_serverAuth,
    Result::ERROR_INADEQUATE_CERT_TYPE
  },
  {
    // CA has id-Netscape-stepUp => should succeed
    // NOTE(review): stepUp is evidently accepted as a CA-side stand-in for
    // id-kp-serverAuth; the next case shows it is NOT accepted on the leaf.
    // Confirm the exact conditions against CheckExtendedKeyUsage.
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
    CreateEKUExtension(BytesToByteString(tlv_id_Netscape_stepUp)),
    KeyPurposeId::id_kp_serverAuth,
    Success
  },
  {
    // End-entity has id-Netscape-stepUp => should fail
    CreateEKUExtension(BytesToByteString(tlv_id_Netscape_stepUp)),
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
    KeyPurposeId::id_kp_serverAuth,
    Result::ERROR_INADEQUATE_CERT_TYPE
  },
  {
    // End-entity and CA have id-kp-serverAuth and id-kp-clientAuth => should
    // succeed
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
                       BytesToByteString(tlv_id_kp_clientAuth)),
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
                       BytesToByteString(tlv_id_kp_clientAuth)),
    KeyPurposeId::id_kp_serverAuth,
    Success
  },
  {
    // End-entity has id-kp-serverAuth and id-kp-OCSPSigning => should fail
    // even though id-kp-serverAuth is present.
    // NOTE(review): presumably the point is that a leaf able to sign OCSP
    // responses must not double as a TLS server cert (it could vouch for
    // its own status); the policy lives in CheckExtendedKeyUsage — confirm.
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
                       BytesToByteString(tlv_id_kp_OCSPSigning)),
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
                       BytesToByteString(tlv_id_kp_clientAuth)),
    KeyPurposeId::id_kp_serverAuth,
    Result::ERROR_INADEQUATE_CERT_TYPE
  },
  {
    // CA has id-kp-serverAuth and id-kp-OCSPSigning => should succeed
    // (the OCSPSigning restriction above applies to the end-entity only).
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
                       BytesToByteString(tlv_id_kp_clientAuth)),
    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
                       BytesToByteString(tlv_id_kp_OCSPSigning)),
    KeyPurposeId::id_kp_serverAuth,
    Success
  },
};
698
// Registers one CheckExtendedKeyUsageChainTest instance per entry of
// EKU_CHAIN_TESTCASES under the pkixcheck_CheckExtendedKeyUsage prefix.
INSTANTIATE_TEST_SUITE_P(
    pkixcheck_CheckExtendedKeyUsage, CheckExtendedKeyUsageChainTest,
    ::testing::ValuesIn(EKU_CHAIN_TESTCASES));
702